
Sentinel

terraform security
Author: Jérémy Norgol, Linux DevOps consultant engineer

A Sentinel policy can include imports, which give a policy access to reusable libraries, external data and functions. Terraform Cloud provides four built-in imports that can be used in a policy check:

Import     Description
tfplan     provides access to the Terraform plan, which represents the changes Terraform will make to reach the desired state
tfconfig   provides access to the Terraform configuration that describes the desired state
tfstate    provides access to the Terraform state, which represents what Terraform knows about the real-world resources
tfrun      provides access to information about the run itself

An import for tfplan has already been configured in the stub policy.

Rules

# A Sentinel policy for S3 buckets that enforces that the required tags are
# provided and that the bucket ACL is set to private

import "tfplan/v2" as tfplan

# Filter S3 buckets: every aws_s3_bucket that the plan creates or updates
s3_buckets = filter tfplan.resource_changes as address, rc {
  rc.type is "aws_s3_bucket" and
  (rc.change.actions contains "create" or rc.change.actions is ["update"])
}

# Rule to require "department" and "environment" tags
required_tags = ["department", "environment"]
tag_violators = filter s3_buckets as address, bucket {
  any required_tags as rtag {
    rtag not in bucket.change.after.tags
  }
}

bucket_should_have_required_tags = rule {
  tag_violators is empty
}

# Filter S3 ACLs and rule to require the "private" ACL on all buckets
s3_bucket_acls = filter tfplan.resource_changes as address, rc {
  rc.type is "aws_s3_bucket_acl" and
  (rc.change.actions contains "create" or rc.change.actions is ["update"])
}
acl_violators = filter s3_bucket_acls as address, bucket {
  bucket.change.after.acl != "private"
}
bucket_acl_should_be_private = rule {
  acl_violators is empty
}

# Main rule that requires the other rules to be true
main = rule {
  bucket_should_have_required_tags and
  bucket_acl_should_be_private
}

In this rule we use an any expression to test whether any of the required tags is absent from the bucket's tags after the change is applied. If a tag is missing, the expression evaluates to true and the resource is added to the violators list. The rule requires the violators list to be empty; a non-empty list means violators were found and the rule evaluates to false. Our Terraform config could contain any number of resources, including several S3 buckets: the first filter expression selects every S3 bucket being created or updated, and the second keeps only the buckets that violate our rule.

Let's add our second rule to enforce a private ACL on our buckets. This time we filter for instances of the aws_s3_bucket_acl resource and then select those whose ACL is not the required value.

Sentinel CLI

The Sentinel CLI allows policies to be developed and tested outside of TFC/TFE. Sentinel mocks are imports that stand in for the data available to the Sentinel engine when it runs after a plan operation in TFE/TFC.

Sentinel imports are structured as a series of collections with a number of attributes. The structure of each standard import is clearly documented.

Mock data can be easily generated using the Terraform Cloud UI or the API after a plan has executed.

Mocks

Using Mocks

For Sentinel to use mocks, the CLI must be given a configuration file. This is specified with the -config=path flag.

Let’s run our first local policy test using the Sentinel CLI:

cd /root/workspace/sentinel
sentinel apply -config=sentinel-mocks.hcl restrict-s3-buckets.sentinel
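As an added example that is not part of the original post, here is a constructed tfplan/v2 mock module the policy above can be run against offline: it carries one compliant bucket, one bucket missing a required tag and one public ACL, so the run ends with main = false. The file name mock-tfplan-v2.sentinel and every resource name and value are assumptions; only the attributes the policy reads are filled in, whereas mocks generated by Terraform Cloud carry many more.

```sentinel
# Added example, not from the original post: a constructed tfplan/v2 mock
# with only the attributes restrict-s3-buckets.sentinel reads. Wire it in
# from sentinel-mocks.hcl with:
#   mock "tfplan/v2" {
#     module { source = "mock-tfplan-v2.sentinel" }
#   }
# then run: sentinel apply -config=sentinel-mocks.hcl restrict-s3-buckets.sentinel

resource_changes = {
  # Compliant: both required tags are present.
  "aws_s3_bucket.logs": {
    "address": "aws_s3_bucket.logs",
    "type":    "aws_s3_bucket",
    "change": {
      "actions": ["create"],
      "before":  null,
      "after": {
        "bucket": "example-logs",
        "tags":   {"department": "security", "environment": "prod"},
      },
    },
  },
  # Violates bucket_should_have_required_tags: "environment" is missing.
  "aws_s3_bucket.scratch": {
    "address": "aws_s3_bucket.scratch",
    "type":    "aws_s3_bucket",
    "change": {
      "actions": ["create"],
      "before":  null,
      "after":   {"bucket": "example-scratch", "tags": {"department": "dev"}},
    },
  },
  # Violates bucket_acl_should_be_private: the ACL is not "private".
  "aws_s3_bucket_acl.scratch": {
    "address": "aws_s3_bucket_acl.scratch",
    "type":    "aws_s3_bucket_acl",
    "change": {
      "actions": ["create"],
      "before":  null,
      "after":   {"bucket": "example-scratch", "acl": "public-read"},
    },
  },
}
```

With this mock, tag_violators contains aws_s3_bucket.scratch and acl_violators contains aws_s3_bucket_acl.scratch, so sentinel apply reports the policy as failing; removing those two entries makes it pass.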

Every policy set requires a configuration file named sentinel.hcl. This configuration file defines:

  1. Each policy that is part of the set and where to find it
  2. The enforcement level of each policy
  3. Any Sentinel modules which need to be made available to policies in the set.

Sentinel modules allow Sentinel code to be shared and imported, reducing the amount of boilerplate code required in each policy. We are not using a module in this lab, but you can see examples here.

We need a sentinel.hcl to configure our policy set. For now we are enforcing only 1 policy. Because it can be dangerous to have public buckets we will require hard-mandatory enforcement. Use the Code Editor to update the file at /root/workspace/sentinel/sentinel.hcl with:

policy "restrict-s3-buckets" {
  source            = "./restrict-s3-buckets.sentinel"
  enforcement_level = "hard-mandatory"
}

The source for a policy defined in a set can be a path relative to the configuration file or a remote HTTP/HTTPS source.
